Since few weeks i was working on office 365 stuff including o365 applications teams ,onedrive and managing the mobile devices +windows (MDM/MAM) using intune.
while working on this ,i found that ,windows 10 devices that are applied with WIP policies ,internet is getting blocked (access denied) on 3rd party browsers like Google chrome,Firefox but it works fine on Edge, internet explorer browsers.
If you are trying to access internet on Firefox,chrome or any other browser (except IE or edge) ,you will hit the following error.
To know more about windows information protection ,read TechNet article https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
To use 3rd party browsers such as Chrome,Firefox , we need to define a Cloud Resource rule and pass through the /*AppCompat*/ variable. This is because when an unenlightened app like chrome,Firefox tries to connect to a cloud resource through an IP, Windows cant determine if it is a corporate location or a personal location, so the default behaviour for Windows is to block all connections. To resolve this you will need to simply add Cloud Resources like below, which defines the cloud resource locations you want to make as corporate.
To know more about how Unenlightened app, please read https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip
How do you allow 3rd party browsers to access internet (this is not protecting the data on the application but just to allow internet access )?
Login to www.portal.azure.com
Go to intune app protection, click on App policy (intune app protection – app policy) ,click on the windows 10 compliance policy (you will notice windows on the platform)
On the windows 10 app protection policy ,click on Advanced settings –click on cloud resources
Add |/*AppCompat*/ in the value field and click ok. There is no sequence to add this value ,you can add it anywhere .
Once you add the value, make sure you have tick mark on the right-side to make sure the changes are valid.
Click save for advanced settings .
Now users who are using the windows 10 devices should be able to access internet using 3rd party browses.
Hope it helps!
I setup the WIP policy and 3rd party web browser are not blocked.
I setup the Network perimeter according to the Microsoft document.
And I haven' t setup the /*AppCompat*/ for the cloud resources.
My experience is that I can still browse through Chrome and Firefox.
Is the behavior changed or I have missed in my setup?
I am not sure if there are changes to the WIP policy for 3rd party browsers but appcompat is required parameter , not sure if there was any changes to it lately.
WIP is set to sunset and will be replaced by windows DLP. For more information, please read the MS documentation https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-end-of-support-guidance-for-windows-information/ba-p/3580091
How do you publish intranet sites to app proxy?
You will need to install Azure AD app proxy connector on-premise close to the apps servers and publish the apps.
you can follow this guide to publish the intranet site through app proxy. https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers
Great!! that worked .However intranet sites are still not working on Google Chrome after adding /*AppCompat*/.
To access intranet sites using chrome on external networks, you must publish them via app proxy and try to use the external facing URL . You also need to add the extension of the app proxy that you configured into WIP policy.